25 May 2019 marks the one-year anniversary of the much-discussed General Data Protection Regulation (GDPR) entering into force. Since the Dutch Data Protection Authority (Dutch DPA) also recently published its 2018 annual report, now is a good time to take stock of it all. What has one year of GDPR yielded? Have high fines been imposed and, if so, for what type of violations? And what do you need to watch out for in 2019?

Annual report 2018

As shown in the annual report, 2018 was a hectic year for the DPA. Not only did the GDPR come into force, the DPA also hired many new employees along with setting-up and implementing a new organisational structure.

In the report, the DPA indicates that in 2018 it deliberately chose to focus on promoting compliance with the privacy regulations. Their approach entailed investing heavily in providing information and advice, on the one hand, and seeking to stop any violations instead of imposing sanctions after the fact, on the other hand.

Some headline figures for 2018:

The DPA received over 11,000 complaints and nearly 21,000 data breach notifications.

720 complaints and 298 data breach notifications were dealt with through an intervention, such as a letter or discussion in which the DPA explained the privacy regulations.

The DPA completed 16 investigations and started 17 enforcement procedures, which resulted in sanctions being imposed on the likes of Uber, the Tax and Customs Administration and the Employee Insurance Agency (UWV)*, to name a few. Uber was fined EUR 600,000 for failing to notify a data breach promptly. The Employee Insurance Agency (UWV) was fined for failing to equip the secure access to its employer portal with multifactor authentication. The National Police were ordered to pay a fine for the inadequate security of an IT system. InsingerGilissen Bankiers were fined EUR 48,000 for not complying with a personal data access request. Finally, the Tax and Customs Administration was prohibited from using the Citizen Service Number in the VAT number as from 1 January 2020.

Several audits were carried out in the public and private sectors, investigating matters such as whether a Data Protection Officer had been registered, whether a data register had been set up and whether a privacy policy had been drawn up.

Year-on-year comparison

A comparison of these figures with those of previous years, shows an explosive increase in the number of data breach notifications since this obligation was introduced in 2016. However, enforcement and sanctions (including fines) are increasing slowly.

2014

2015

2016

2017

2018

Data breach notifications

–

–

5,700

10,009

20,881

Enforcements

13

17

20

20

17

Penalty

0

0

0

0

1

Collection/recovery

0

0

0

1

2

Elsewhere in Europe

What are regulators doing elsewhere in Europe? Several Member States have already seen the first fines imposed for violations of the GDPR, examples include:

In March 2019, the Polish regulator fined a Polish company EUR 220,000 for breach of the obligation to provide information. The company had created an extensive database of personal data that it had collected from public sources, but without informing the data subjects.

In January 2019, the French regulator fined Google EUR 50,000,000 for lack of transparency, breach of the obligation to provide information and obtaining consent unlawfully.

In February 2019, the Maltese regulator fined the Maltese Land Registry EUR 5,000 for failing to properly secure an online portal.

In September 2018, the German regulator (more specifically the one from Baden-Württemberg) fined a German social network EUR 20,000. The social network had reported a data breach in which users’ passwords and e-mail addresses had been leaked. Follow-up investigations by the regulator revealed that password encryption had not been used, thus violating the obligation to take appropriate security measures.

In September 2018, the Austrian regulator imposed a fine of EUR 5,280 on a betting shop that used a video surveillance system for which there was no legal basis and that stored the recordings for too long.

What does 2019 have in store?

In its annual report, the DPA explicitly states that in 2019 the focus will shift from information to enforcement. Enforcement will be stepped up in 2019. While the DPA currently still often focuses on ending any (possible) violation when dealing with a complaint, 2019 will see it initiating investigations and imposing sanctions more often. The DPA’s stated areas of focus for 2019 include: i) security measures and the legal bases for processing personal data in the healthcare sector, ii) unreported data breaches and iii) trade in personal data.

*The infringements often date from the pre-GDPR era and are therefore assessed and sanctioned according to the Personal Data Protection Act and not the GDPR.

Time is running out. If the deadline is not extended, the UK will leave the EU on 29 March 2019, with or without a deal. For many organizations it is unclear what the effects of Brexit will be on the protection of personal data processed in the UK. What are the implications for transferring personal data to the UK? The implications of transferring personal data will depend on whether or not a deal is reached by the end of March.

Deal scenario

If the British leave with a deal, then the GDPR will remain in force until the end of 2020. This means that, until then, nothing will change with regard to the transfer of personal data to the UK.

However, given the current circumstances, the chance of a no-deal scenario continues to grow and becomes more likely every day. It is therefore vital to start preparing for a no-deal Brexit now.

No-deal scenario

A no-deal Brexit will have a major impact on the transfer of personal data to the UK – regardless of whether the transfer is for instance to the UK branch of a multinational or a British cloud provider. In the event of a no-deal Brexit, the UK will be considered to be a ‘third country’ after 29 March 2019 and will be subject to the rules that are applicable to the transfer of personal data outside the EU.

Personal data may no longer be transferred freely to the UK; data transfer will need to be based on one of the following instruments:

Standard or ad-hoc data protection clauses (the European Commission has prepared three sets of Standard Contractual Clauses that provide an appropriate safeguard);

Binding Corporate Rules (these are codes of conduct that multinationals impose on themselves; these must be approved by the Dutch Data Protection Authority);

Codes of Conduct (these are intended for self-regulation by, for example, industry associations) or Certification Mechanisms (both of which also need to be approved).

The Commission could also consider (in a so-called adequacy decision) that the level of data protection in the UK is in line with European legislation. However, in the event of a no-deal Brexit, an adequacy decision will not be available immediately and the aforementioned instruments will have to be used, at least for the time being.

Five-step preparation

Because different rules will immediately become applicable after 29 March in the event of a no-deal Brexit, it is imperative to start taking steps immediately to prepare for this situation. According to the European Data Protection Board you can do this by means of the following five steps:

Make an inventory, showing if and what personal data transfers are made to organisations (or branches) in the UK.

Choose an instrument; determine which instrument is the best for your situation. For example, in the case of a multinational with a branch in the UK, creating or updating Binding Corporate Rules might be an option; whereas with data processors the Standard Contractual Clauses of the European Commission could be used.

Make sure that whatever instrument you decide on is ready to use on 30 March 2019 (or as of the new deadline if the deadline is extended);

Keep an internal record of the fact that personal data are transferred to the UK, for example, in the processing register and the internal privacy policy.

Amend the privacy statement for data subjects to inform data subjects about the transfer to ‘outside the EU’.

Data transfers from the UK

A no-deal Brexit will not lead to any changes in the reverse situation, i.e. personal data transfers from the UK to an EU country. The British government has stated that data can be freely transferred from the UK to the EU, as is currently the case.

As Brexit may become a reality this month, there is no time to lose in making preparations.